Bug #2741
closed — osmo-ggsn segfaults after receiving SIGINT
Start date:
12/12/2017
Due date:
% Done:
100%
Spec Reference:
Description
While running osmo-ggsn in osmo-gsm-tester, at the time osmo-gsm-tester wants to finish the test it sends a SIGINT to stop osmo-ggsn.
After the SIGINT is sent, a segfault can be seen in dmesg:
[1887221.478570] osmo-ggsn[20927]: segfault at b0 ip 00007f7a1a7d29a3 sp 00007ffe630d91f0 error 6 in libgtp.so.2.0.0[7f7a1a7ca000+11000]
The attached core file shows the following bt
Program terminated with signal SIGSEGV, Segmentation fault. (gdb) bt #0 gtp_delete_context_req (gsn=0x0, pdp=0x7f7a1a9dd5c0 <pdpa>, cbp=0x4, teardown=1) at gtp.c:2309 #1 0x000000000040453f in pool_close_all_pdp (pool=0x7ffe630d9200) at ggsn.c:109 #2 0x0000000000405b66 in apn_stop (apn=0x14b2b50, force=false, force@entry=true) at ggsn.c:117 #3 0x0000000000406635 in ggsn_stop (ggsn=ggsn@entry=0x14b2690) at ggsn.c:868 #4 0x00000000004028d2 in ggsn_stop (ggsn=0x14b2690) at ggsn.c:863 #5 main (argc=3, argv=<optimized out>) at ggsn.c:1002
It seems the pointer passed as a parameter to pool_close_all_pdp is corrupted somehow, because it is not the one stored in the structure:
(gdb) frame 2 #2 0x0000000000405b66 in apn_stop (apn=0x14b2b50, force=false, force@entry=true) at ggsn.c:117 (gdb) print apn $3 = (struct apn_ctx *) 0x14b2b50 (gdb) print *apn $4 = {list = {next = 0x14b2fa0, prev = 0x14b26a0}, ggsn = 0x14b2690, started = true, cfg = { name = 0x14b2410 "internet", description = 0x0, name_list = {next = 0x14b2b80, prev = 0x14b2b80}, apn_type_mask = 1, gtpu_mode = APN_GTPU_MODE_TUN, shutdown = false, tx_gpdu_seq = true}, tun = {cfg = { dev_name = 0x14b2980 "tun4", ipup_script = 0x0, ipdown_script = 0x0}, tun = 0x146d6e0, fd = {list = { next = 0x14b3010, prev = 0x7f7a19f3e950 <osmo_fds>}, fd = 5, when = 1, cb = 0x404cd0 <ggsn_tun_fd_cb>, data = 0x14b2b50, priv_nr = 0}}, v6_lladdr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, v4 = {cfg = {ifconfig_prefix = { addr = {len = 4 '\004', {v4 = {s_addr = 31330480}, v6 = {__in6_u = { __u6_addr8 = "\260\020\336\001", '\000' <repeats 11 times>, __u6_addr16 = {4272, 478, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {31330480, 0, 0, 0}}}}}, prefixlen = 24 '\030'}, static_prefix = {addr = { len = 0 '\000', {v4 = {s_addr = 0}, v6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, prefixlen = 0 '\000'}, dynamic_prefix = {addr = {len = 4 '\004', {v4 = {s_addr = 14553264}, v6 = {__in6_u = { __u6_addr8 = "\260\020\336", '\000' <repeats 12 times>, __u6_addr16 = {4272, 222, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {14553264, 0, 0, 0}}}}}, prefixlen = 24 '\030'}, dns = {{len = 4 '\004', { v4 = {s_addr = 134744072}, v6 = {__in6_u = {__u6_addr8 = "\b\b\b\b", '\000' <repeats 11 times>, __u6_addr16 = {2056, 2056, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {134744072, 0, 0, 0}}}}}, { len = 4 '\004', {v4 = {s_addr = 67635208}, v6 = {__in6_u = { __u6_addr8 = "\b\b\b\004", '\000' <repeats 11 times>, __u6_addr16 = {2056, 1032, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {67635208, 0, 0, 0}}}}}}}, pool = 
0x14b2d80}, v6 = {cfg = {ifconfig_prefix = { addr = {len = 0 '\000', {v4 = {s_addr = 0}, v6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, prefixlen = 0 '\000'}, static_prefix = {addr = {len = 0 '\000', {v4 = {s_addr = 0}, v6 = {__in6_u = { __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, prefixlen = 0 '\000'}, dynamic_prefix = {addr = {len = 0 '\000', {v4 = { s_addr = 0}, v6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, prefixlen = 0 '\000'}, dns = {{len = 0 '\000', {v4 = { s_addr = 0}, v6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, {len = 0 '\000', {v4 = {s_addr = 0}, v6 = {__in6_u = { __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}}}, pool = 0x0}} (gdb) print apn->v4 $5 = {cfg = {ifconfig_prefix = {addr = {len = 4 '\004', {v4 = {s_addr = 31330480}, v6 = {__in6_u = { __u6_addr8 = "\260\020\336\001", '\000' <repeats 11 times>, __u6_addr16 = {4272, 478, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {31330480, 0, 0, 0}}}}}, prefixlen = 24 '\030'}, static_prefix = {addr = { len = 0 '\000', {v4 = {s_addr = 0}, v6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}}, prefixlen = 0 '\000'}, dynamic_prefix = {addr = {len = 4 '\004', {v4 = {s_addr = 14553264}, v6 = {__in6_u = { __u6_addr8 = "\260\020\336", '\000' <repeats 12 times>, __u6_addr16 = {4272, 222, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {14553264, 0, 0, 0}}}}}, prefixlen = 24 '\030'}, dns = {{len = 4 '\004', {v4 = { s_addr = 134744072}, v6 = {__in6_u = {__u6_addr8 = "\b\b\b\b", '\000' <repeats 11 times>, __u6_addr16 = {2056, 2056, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {134744072, 0, 0, 0}}}}}, { len = 4 
'\004', {v4 = {s_addr = 67635208}, v6 = {__in6_u = { __u6_addr8 = "\b\b\b\004", '\000' <repeats 11 times>, __u6_addr16 = {2056, 1032, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {67635208, 0, 0, 0}}}}}}}, pool = 0x14b2d80} (gdb) print apn->v4.pool $7 = (struct ippool_t *) 0x14b2d80
So, we have apn->v4.pool=0x14b2d80 and in the code we have the following call: pool_close_all_pdp(apn->v4.pool);
However, according to gdb:
(gdb) frame 1 #1 0x000000000040453f in pool_close_all_pdp (pool=0x7ffe630d9200) at ggsn.c:109
So I'm not sure how that could happen. Stack corruption? (Note that the pool value 0x7ffe630d9200 seen in frame 1 lies in the same region as the sp 0x7ffe630d91f0 reported in the dmesg line, so it looks like a stack address rather than a heap pointer such as 0x14b2d80; frame 0 also shows gsn=0x0.)
Also, last lines of osmo-ggsn log before crashing:
20171212153454402 DGGSN <0002> ggsn.c:525 PDP(901700000009031:5): Processing create PDP context request for APN 'ims' 20171212153454402 DGGSN <0002> ggsn.c:635 PDP(901700000009031:5): APN doesn't support requested EUA / AF type 20171212153454403 DLGTP <000d> pdp.c:255 Begin pdp_tiddel tid = 5130900000007109 20171212153454403 DLGTP <000d> pdp.c:262 End pdp_tiddel: PDP found 20171212153454484 DGGSN <0002> ggsn.c:702 PDP(901700000009031:6): Packet received on APN(inet46): forwarding to tun tun46 20171212153459202 DGGSN <0002> ggsn.c:342 PDP(901700000009031:6): Deleting PDP context 20171212153459202 DLGTP <000d> pdp.c:255 Begin pdp_tiddel tid = 6130900000007109 20171212153459202 DLGTP <000d> pdp.c:262 End pdp_tiddel: PDP found 20171212153506145 DLGTP <000d> gtp.c:1522 gtp_create_pdp_ind: Before pdp_tidget 20171212153506145 DLGTP <000d> pdp.c:275 Begin pdp_tidget tid = 5130900000007109 20171212153506145 DLGTP <000d> pdp.c:283 Begin pdp_tidget. Not found 20171212153506145 DLGTP <000d> pdp.c:237 Begin pdp_tidset tid = 5130900000007109 20171212153506145 DLGTP <000d> pdp.c:246 End pdp_tidset 20171212153506145 DGGSN <0002> ggsn.c:525 PDP(901700000009031:5): Processing create PDP context request for APN 'inet46' 20171212153506146 DGGSN <0002> ggsn.c:625 PDP(901700000009031:5): Successful PDP Context Creation: APN=inet46(inet46), TEIC=1, IP=fde4:8dba:82e1:2002:: 20171212153507420 DGGSN <0002> ggsn.c:702 PDP(901700000009031:5): Packet received on APN(inet46): forwarding to tun tun46 20171212153507566 DTUN <0001> ggsn.c:673 Received packet for APN(inet46) from tun tun46 with no PDP contex!! 20171212153511662 DTUN <0001> ggsn.c:673 Received packet for APN(inet6) from tun tun6 with no PDP contex!! 
20171212153513120 DGGSN <0002> ggsn.c:342 PDP(901700000009031:5): Deleting PDP context 20171212153513121 DLGTP <000d> pdp.c:255 Begin pdp_tiddel tid = 5130900000007109 20171212153513121 DLGTP <000d> pdp.c:262 End pdp_tiddel: PDP found 20171212153515861 DGGSN <0002> ggsn.c:782 signal 2 received 20171212153515861 DGGSN <0002> ggsn.c:786 SIGINT received, shutting down 20171212153515861 DGGSN <0002> ggsn.c:115 APN(internet): FORCED Stopping 20171212153515861 DGGSN <0002> ggsn.c:108 PDP(0000000000000000:0): Sending DELETE PDP CTX due to shutdown